Insecure Apps & APIs are a Problem

- Your business depends on web applications
- Any app or API can be a foothold into your organization
- Developers are not incentivized for security
- Cloud-based apps are easy for developers to deploy

Web Applications are Being Targeted

- Most common data breach pattern *
- Top hacking vector *

Examples: Panera Bread, Facebook (API), Google+ (API), Ashley Madison

* Source: 2018 Verizon DBIR

Apps & APIs are Everywhere

- Public-facing web apps
- Internal web apps
- Apps in public clouds (Amazon Web Services, Google Cloud Platform, Microsoft Azure)
- REST APIs
- New apps under development
Web Application Scanning Review

Qualys WAS

- A leading dynamic application security testing (DAST) tool
- Supports Selenium scripts
- Malware monitoring as a bonus

Built for the Enterprise

- Web app discovery
- Unlimited scans & users
- RBAC
- Tagging
- Scheduled scans
- Ad-hoc, targeted scans
- Multi-site scans
- Retest vulnerability
- Scan for malware
- Massive scalability
- Detection history
- Scheduled reports
- Customizable reports
- Swagger support
- Robust API
- CI/CD integration
- Unique integration w/ Qualys WAF
- Bi-directional integration with Bugcrowd
What's New in Qualys WAS

Scanning REST APIs

https://swagger.io
https://www.openapis.org

- Swagger is a specification that describes a set of REST APIs
- Swagger file typically available from dev team
- Set Swagger file as target in WAS
- API endpoints are automatically tested for vulnerabilities
- Swagger v2 JSON format currently supported
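What a scanner actually gets when the Swagger file is set as the target is an inventory of operations. The following is an added example, not code from the Qualys WAS product or from the slides: it parses a Swagger v2 (OpenAPI 2.0) JSON document and lists every operation with its full URL, its parameters and whether any security scheme covers it, so the team can check the inventory against what they expect to expose before a scan runs. The sample spec, its host `api.example.invalid` and its paths are constructed for the example.

```python
"""Enumerate the REST endpoints a Swagger v2 (OpenAPI 2.0) file describes.

Added example, not code from the Qualys WAS product or the slide deck. It shows
what "set the Swagger file as target" gives a scanner to work with: every
operation the spec declares, its full URL, its parameters and whether the
operation is covered by a security scheme. The sample spec below is constructed
for this example; the host and paths are placeholders.
"""
import json
from typing import Dict, List

# Constructed Swagger v2 document (placeholder host/paths, not a real service).
SAMPLE_SWAGGER_JSON = json.dumps({
    "swagger": "2.0",
    "info": {"title": "Example Orders API", "version": "1.0"},
    "host": "api.example.invalid",
    "basePath": "/v1",
    "schemes": ["https"],
    "securityDefinitions": {
        "api_key": {"type": "apiKey", "name": "X-API-Key", "in": "header"}
    },
    "security": [{"api_key": []}],          # default: every operation needs the key
    "paths": {
        "/orders": {
            "get": {"parameters": [{"name": "status", "in": "query", "type": "string"}]},
            "post": {"parameters": [{"name": "body", "in": "body", "schema": {"type": "object"}}]},
        },
        "/orders/{orderId}": {
            "parameters": [{"name": "orderId", "in": "path", "required": True, "type": "integer"}],
            "get": {},
            "delete": {"security": []},      # operation-level override: no auth at all
        },
        "/health": {"get": {"security": []}},
    },
})

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch")


def enumerate_endpoints(swagger_json: str) -> List[Dict]:
    """Return one record per (method, path) operation in a Swagger v2 document."""
    spec = json.loads(swagger_json)
    if spec.get("swagger") != "2.0":
        raise ValueError("only Swagger v2 (swagger: '2.0') is handled here")
    scheme = (spec.get("schemes") or ["https"])[0]
    base = f"{scheme}://{spec.get('host', '')}{spec.get('basePath', '')}".rstrip("/")
    default_security = spec.get("security", [])
    endpoints = []
    for path, item in spec.get("paths", {}).items():
        shared_params = item.get("parameters", [])      # path-level parameters apply to all methods
        for method in HTTP_METHODS:
            if method not in item:
                continue
            op = item[method]
            # An operation-level "security" key (even an empty list) overrides the global default.
            security = op["security"] if "security" in op else default_security
            params = shared_params + op.get("parameters", [])
            endpoints.append({
                "method": method.upper(),
                "url": base + path,
                "parameters": [f"{p['name']} ({p['in']})" for p in params],
                "authenticated": bool(security),
            })
    return endpoints


def unauthenticated_endpoints(swagger_json: str) -> List[str]:
    """Operations reachable without any declared security scheme: review these first."""
    return [f"{e['method']} {e['url']}" for e in enumerate_endpoints(swagger_json)
            if not e["authenticated"]]


if __name__ == "__main__":
    for e in enumerate_endpoints(SAMPLE_SWAGGER_JSON):
        flag = "" if e["authenticated"] else "  <-- no auth declared"
        print(f"{e['method']:6} {e['url']}  params={e['parameters']}{flag}")
```

The operation-level `security: []` override is the detail worth checking in a real spec: it silently removes the global requirement, which is exactly the kind of endpoint a review of the inventory should surface before the scan, and the kind a scanner can only test if the file it was given declares it.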
Automate Scans in CI/CD with Qualys WAS

[Diagram: Developers, Source Control, Jenkins, Dev / Test-QA / Staging environments, WAS Engine, Qualys Scanner Appliance]
Jenkins Plugin for WAS

[Screenshot: Jenkins Pipeline Snippet Generator, sample step "qualysWASScan: Qualys WAS Plugin for Jenkins"]

[Screenshot: plugin API Login settings]
- API Server URL (example: https://qualysapi.qualys.com)
- API Username
- API Password
- Use Proxy Settings
- Test Connection ("Connection test successful")


Manual Testing Complements WAS

- Dynamic application testing is one piece of the AppSec puzzle
- Manual penetration testing is important for your business-critical apps
- Qualys WAS offers:
  - Bugcrowd integration
  - Burp Suite integration
  - Partnerships with consulting shops
Bi-directional Integration with Bugcrowd

[Logos: bugcrowd, Qualys]

Qualys WAS Burp Extension

Burp Suite + Web Application Scanning

- A quick, intuitive way to send Burp-discovered issues into WAS
- Provides centralized viewing/reporting of WAS detections + Burp issues
- Available in Burp's BApp Store
Qualys WAS Burp extension

[Screenshot: Burp Suite, Extender > BApp Store, with the "Qualys WAS" entry (Pro extension, last updated 06 Aug 2018) selected]

The Qualys WAS Burp extension provides a way to easily push Burp scanner findings to the Web Application Scanning (WAS) module within the Qualys Cloud Platform. As a Qualys WAS customer, you can then view and report Burp issues alongside WAS findings for a more complete picture of your web application's security posture.

To learn more about Qualys WAS, its integration with Burp, and the additional security and compliance solutions available in the Qualys Cloud Platform, please visit

Requirements:
- Burp Suite Professional 1.7 or later

Features:
- Straightforward setup and usage
- Supports all Qualys shared platforms as well as private cloud platforms
- Selected Burp scanner finding(s) exported to Qualys WAS via context menu
- Option to purge or close existing Burp issues in WAS
- Upstream proxy server settings in Burp are honored automatically
- Written in Java

Usage:
1. Add the extension to your instance of Burp Suite Professional by installing directly from the "BApp Store" tab within Burp or by loading the jar file from the Extensions tab.
2. In the "Qualys WAS" tab, select the appropriate Qualys platform for your subscription and enter your Qualys username & password.


WAS Enhancements, YTD 


Sept 2018 : 
April 2018 June 2018 M engine 2018 : 2019 
Swagger Sq upgrade : 
Jenkins plugin Header injection XSS Power Mode 
Qualys Browser WebLogic RCE Tag apps upon import 
Recorder RichFaces RCE ESI injection 
Test Authentication "Spring Break" WebSocket detection 
Exclude darameters PrimeFaces RCE 
Jan 2018 May 2018 July 2018 Oct 2018 
CMS vulns Added CSV v2 Burp extension Blueimp file upload 
Multi-scan alerts report Results for cancelled scans 
Update QID Add'l CMS vulns Improved scan status 
mappings to 2017 
OWASP Top 1O 


Telerik crypto flaw 
Scan settings snapshot 


Retest multiple findings 
Qualys WAS Roadmap

Dec 2018
- Blind XPATH injection
- Improved KB search
- Custom report footer
- Burp & Bugcrowd findings added to report
- Ignore finding time limit
- "Launch Now" for scheduled report

Jan 2019
- Custom scan intensity
- Jenkins plugin v2

Feb-Mar 2019
- TLS 1.3 support
- SSL/TLS detections
- Out-of-band detections
- Security header tests
- Enhanced crawling
- CyberArk PIM integration

Q2-Q3 2019
- Elasticsearch
- New dashboard
- UI modernization
- Support OpenAPI v3
- Support Postman Collections
Coming in 2019

Qualys API Security

[Screenshot: API Security module home page]

Video Tutorials: get started with these quick steps
- Configure API Collections
- Assess your API Collections
- Scan your API for compliance
- Scan your API for vulnerability
- Configure API Endpoints
- Create and Manage your API

[Sidebar: Related Community Posts; Tweets (Qualys: "Watch 9 short Reporting Strategies and Best Practices videos", vimeo.com)]


Web Application Firewall Review

Qualys WAF

- Integration with WAS
- Architecture improvements
- Integration with Docker
- Security improvements
- Roadmap - standalone
- Roadmap - Integrated Suite

[Screenshot: Qualys Web Application Firewall dashboard (tabs: Dashboard, Events, Web Applications, Security, WAF Appliances), Mon 08 Oct 2018 - Wed 07 Nov 2018, with Activity Timeline, Web Application Statistics (blocked events), Event Summary, Traffic Origins and bandwidth (196.2 MB) panels]
WAS / WAF Integration: ScanTrust

ScanTrust: Challenge your WAF protection
Assess both the application and the policy that protects it

[Screenshot: WAS Detection Management, Detection List (tabs: Detection List, Burp, Bugcrowd), 1-6 of 6 results. Columns: Status, QID, Name, Group, Last Detected, Age, Patch, Severity. Sample rows on the demo app waf-demo.qualys.com/bodgeit: Blind SQL Injection on login.jsp (Protected); Reflected Cross-Site Scripting (XSS) Vulnerabilities, QID 150001, on search.jsp (Protected, Fixed, New); Browser-Specific Cross-Site Scripting Vulnerabilities on search.jsp (Protected). Status filter values: New, Active, Re-Opened, Protected, Fixed. Quick actions: View, Ignore, Install Patch, Edit Severity.]
WAS / WAF Integration: Virtual Patch

Virtual Patch: One-click mitigation tool for CISO teams
Run from within WAS to address Confirmed threats

[Dialog: "You are about to install a virtual patch"]
We'll automatically add a virtual patch rule to your WAF to block exploitation of the selected vulnerability on your web application. You can easily remove the virtual patch (and rule) at any time either here or from the WAF management interface.

Patch Details (View Detection):
When request.header.content-type MATCH "^.*\%.*\{.*multipart/form-data$"

[Screenshot: WAF rule list after patch installation]
1. request.path MATCH ^[a-zA-Z0-9...
2. request.header.content-type MATCH ^.*\%.*\{.*multipart...
3. request.header.Content-Type DETECT 150173
4. request.query-string parameter p MATCH ^.*admin.*$
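To make concrete what a virtual patch rule does to traffic, and what to verify before relying on one, here is an added example; it is not Qualys WAF's rule engine or rule syntax. It models a rule as "block when this request field matches this regular expression", installs the slide's rule 4 (query-string parameter `p` MATCH `^.*admin.*$`) into a small policy object, and checks the three properties a defender cares about: the matching request is blocked, ordinary traffic still passes, and removing the patch restores the original behaviour. The requests, the patch ids and the `WafPolicy` class are constructed for the example.

```python
"""Minimal model of how a WAF virtual patch rule gates requests.

Added example; not Qualys WAF's rule engine or syntax. It models the rule the
slide shows ("request query-string parameter p MATCH ^.*admin.*$") as a regular
expression applied to one request field, and shows what to verify before and
after installing a virtual patch: a matching request is blocked, ordinary
traffic still passes, and removing the rule restores the original behaviour.
Requests, patch ids and the policy class are constructed here.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit


@dataclass
class Request:
    method: str
    target: str                      # path plus optional query string
    headers: Dict[str, str] = field(default_factory=dict)

    @property
    def path(self) -> str:
        return urlsplit(self.target).path

    def query_param(self, name: str) -> Optional[str]:
        values = parse_qs(urlsplit(self.target).query).get(name)
        return values[0] if values else None

    def header(self, name: str) -> Optional[str]:
        # Header names are case-insensitive (RFC 7230), so compare lower-cased.
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


@dataclass
class VirtualPatch:
    """One rule: block when <field> matches <pattern>."""
    patch_id: str
    field_kind: str                  # "query", "header" or "path"
    field_name: str                  # parameter/header name ("" for path)
    pattern: str
    enabled: bool = True

    def matches(self, req: Request) -> bool:
        if self.field_kind == "query":
            value = req.query_param(self.field_name)
        elif self.field_kind == "header":
            value = req.header(self.field_name)
        elif self.field_kind == "path":
            value = req.path
        else:
            raise ValueError(f"unknown field kind {self.field_kind!r}")
        return value is not None and re.search(self.pattern, value) is not None


class WafPolicy:
    """Ordered list of virtual patches; first enabled match wins."""

    def __init__(self) -> None:
        self.patches: List[VirtualPatch] = []

    def install(self, patch: VirtualPatch) -> None:
        self.patches.append(patch)

    def remove(self, patch_id: str) -> None:
        self.patches = [p for p in self.patches if p.patch_id != patch_id]

    def evaluate(self, req: Request) -> str:
        """Return "BLOCK <patch_id>" for the first enabled matching patch, else "ALLOW"."""
        for patch in self.patches:
            if patch.enabled and patch.matches(req):
                return f"BLOCK {patch.patch_id}"
        return "ALLOW"


def demo() -> List[str]:
    """Install the slide's rule 4, test a matching and a benign request, remove it, retest."""
    policy = WafPolicy()
    policy.install(VirtualPatch("vp-demo-4", "query", "p", r"^.*admin.*$"))
    suspicious = Request("GET", "/search.jsp?p=admin")        # constructed request
    benign = Request("GET", "/search.jsp?p=laptops")          # constructed request
    results = [policy.evaluate(suspicious), policy.evaluate(benign)]
    policy.remove("vp-demo-4")                                # the "easily remove" step
    results.append(policy.evaluate(suspicious))
    return results


if __name__ == "__main__":
    print(demo())
```

Two points the model makes visible. A patch that matches on a header is only as good as the comparison it performs, so header lookups are case-insensitive here; and because a removed or disabled patch returns the policy to `ALLOW`, the retest after removal belongs in the same change ticket as the installation, which is what the WAS detection's Protected/Fixed status is tracking on the previous slide.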
What's New in Qualys WAF

Supported Platforms

[Screenshot: "Select Virtual Appliance Image" - Choose the virtualization platform you want to use to run your WAF appliance on.]
- VMware: standard VMware virtualization platform
- Microsoft Hyper-V 5.1 virtualization platform
- Amazon EC2-Classic, Amazon EC2-VPC
- Microsoft Azure platform
- Google Cloud platform
- Docker platform

Shared and private Qualys platforms
WAF Architecture Improvements

Easy and usable architecture
- Virtual reverse proxy
- Cluster-able within hybrid topologies
- Load-balancing capabilities
- SSL/TLS cipher suite categories

Virtual Appliance & Container (v1.5.3)
- XML/JSON content inspection
- Docker Host integration for backend automation
- Better performance
- Scheduled upgrades
- Orchestration via Qualys API
Docker

Controls:
- containers (start | stop | delete | inspect)
- networks
- images (pull | push | delete)

Single Host
[Diagram: one docker host running Container #1 and Container #2 on a Docker network attached to the physical network; a registry stores images]
- Access to docker services via unix sockets

Multiple Hosts
[Diagram: containers spread over several hosts, each attached to the physical network]
- Access to docker services via network sockets


Security Improvements

- Custom Rules: write and manage your own filters
- XML/JSON inspection
- Virtual Patches and Event Exceptions
- Latency control
- Rewriting capabilities (headers)

Qualys Rulesets and Templates
- DAG based inspection, programmable logic
- Drupal 8.0.x, Joomla 3.4.x, Magento 2.5-2.6, Wordpress 4.2.x-4.3.x
- JBoss 4.x-7.x, OWA 2010-2017, Sharepoint 2010-2017, Tomcat 8.0.x
- Qualys Generics for unknown apps
Qualys WAF Roadmap

WAF Roadmap - Standalone

Dec 2018
- New Custom Rules keys + Community Library
- Revamped Security Events

Jan 2019
- Appliance Major Release (v1.6.0): TLSv1.3, HTTP/2, improved network management capabilities, enriched CLI and local events logs

Mar 2019
- Templates: API Generics, Microsoft ADES, JD Edwards

Q2 2019
- Customizable Dashboard
- Alert Reports
- Improved RBAC

Q3 2019
- Appliance empowered with Network Clustering

Q4 2019
- Traffic Management: ddos, ip-reputation, Bots, Scraping
WAF Roadmap - Integrated Suite

Dec 2018
- AI - Feed Application inventory with backend information
- ScanTrust enabled on VM

Jan 2019
- UD - WAF widgets and queries (WAS & WAP)

Mar 2019
- WAS reports with ScanTrust details

Q2 2019
- App's Sitemap v2 implementation

Q3 2019
- Virtual Patch supports Burp and Bug Bounties

Q4 2019
- CV - fetch apps grade and patch
Thank You


Dave Ferguson - dferguson@qualys.com 
Remi Le Mer - rlemer@qualys.com 


